Server/Jail/lrs0x018

Verwendungszweck
Verteiler für Mailinglisten (E-Mail)
GNU Mailman für lists.kss-sachsen.de

Ports

installierte Ports

  • bash
  • ca_root_nss
  • curl
  • db41
  • db48
  • db5
  • dialog4ports
  • dovecot2
  • expat
  • fcgi-devkit
  • fcgiwrap
  • gdbm
  • gettext
  • gettext-runtime
  • gettext-tools
  • help2man
  • icu
  • indexinfo
  • letsencrypt.sh
  • libedit
  • libexecinfo
  • libffi
  • libiconv
  • libtool
  • libyaml
  • m4
  • mailman
  • nginx
  • openssl
  • p5-Locale-gettext
  • patch
  • pcre
  • perl5
  • pkg
  • pkgconf
  • postfix
  • py27-dnspython
  • py27-setuptools27
  • python2
  • python27
  • readline
  • ruby
  • ruby20-bdb
  • sqlite3
  • sudo
  • vim-lite
  • zsh

zusätzliche Konfigurationsdateien

Jail

/etc/rc.conf

# Services run in this jail; their configuration is described in the sections below.
postfix_enable="YES"    # MTA; list mail reaches Mailman through the pipe transport in master.cf
mailman_enable="YES"    # GNU Mailman list server
nginx_enable="YES"      # TLS-terminating web front end (sites-available/mailman.conf)
fcgiwrap_enable="YES"   # FastCGI wrapper nginx uses to run the Mailman cgi-bin scripts
fcgiwrap_user="www"     # account fcgiwrap runs under

cron

# Daily at 02:00: regenerate the TLS session-ticket key that nginx reads via
# "ssl_session_ticket_key /tmp/nginx_ticketkey". nginx loads that file only at
# (re)load time, so the new key takes effect only after a reload —
# TODO(review): confirm ticket_key.sh reloads nginx (its contents are not shown here).
0 2 * * * root /usr/local/etc/nginx/ticket_key.sh

nginx

ticket_key.sh

Erstellt einen Ticketschlüssel unter /tmp/nginx_ticketkey für die SSL-Session-Resumption (Session Tickets).

nginx.conf
 …
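 # Pull in the per-site server blocks. nginx directive names are case-sensitive
 # and every directive ends with ";" — "Include ... *.conf" without the semicolon
 # is rejected as an unknown directive at config test time. The site files are
 # presumably linked from sites-available into sites-enabled (step not shown here).
 include /usr/local/etc/nginx/sites-enabled/*.conf;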
 …
 
sites-available/mailman.conf
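server {
    # TLS catch-all for the bare host name lists.kss-sachsen.de: every request is
    # redirected to the canonical www. host below. "ssl http2" is stated here
    # explicitly; the original "listen 443;" only worked because the listen socket
    # is shared with the www. server block, which carries those flags.
    listen          443 ssl http2;
    server_name     lists.kss-sachsen.de;
    access_log /var/log/httpd_lists-access.log combined;
    error_log /var/log/httpd_lists-error.log;
    root /usr/local/mailman/cgi-bin;
    keepalive_timeout   70;

    # 180 days; "always" also emits the header on 4xx/5xx responses.
    add_header           Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
    # NOTE(review): the certificate directory is named after www.lists.kss-sachsen.de;
    # confirm that certificate also covers the bare name this block serves.
    ssl_certificate     /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/privkey.pem;
    ssl_dhparam         /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/dhparam4096.pem;
    ssl_ecdh_curve      secp384r1;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the list;
    # add TLSv1.3 once the nginx/openssl ports in the jail support it.
    ssl_protocols       TLSv1.2;
    # NOTE(review): after the ECDHE/DHE entries, HIGH:MEDIUM still admits RSA
    # key-exchange suites without forward secrecy; left unchanged for compatibility.
    ssl_ciphers         EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:HIGH:MEDIUM:!RC4:!3DES:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP;
    ssl_prefer_server_ciphers on;

    # OCSP stapling, verified against the issuer chain.
    ssl_stapling on;
    ssl_trusted_certificate /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/chain.pem;
    ssl_stapling_verify on;

    # Resumption via session tickets only (no server-side cache). The key file is
    # regenerated by the ticket_key.sh cron job and is read by nginx at (re)load.
    # NOTE(review): /tmp is a shared, world-writable directory; key material would
    # normally live in a root-only directory with restrictive permissions.
    ssl_session_timeout 10m;
    ssl_session_cache off;
    ssl_session_tickets on;
    ssl_session_ticket_key /tmp/nginx_ticketkey;

    # ACME http-01 challenges must be answered, not redirected. A server-level
    # "return" is executed before location matching and would shadow this
    # location, so the redirect lives in "location /" instead.
    location /.well-known/acme-challenge {
        root /usr/local/www;
    }
    location / {
        return         301 https://www.$server_name$request_uri;
    }
}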

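server { # plain HTTP: answer ACME challenges, redirect everything else to https
    listen         80;
    server_name www.lists.kss-sachsen.de lists.kss-sachsen.de;

    # Serve http-01 challenges directly on port 80 so a certificate can be
    # (re)issued even while the TLS servers are not yet usable, instead of relying
    # on the redirect. A server-level "return" would run before location matching
    # and shadow this location, hence the redirect sits in "location /".
    location /.well-known/acme-challenge {
        root /usr/local/www;
    }
    location / {
        return         301 https://www.lists.kss-sachsen.de$request_uri;
    }
}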

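server {
    # Canonical TLS host for the Mailman web interface and the public archives.
    listen              443 ssl http2;
    server_name         www.lists.kss-sachsen.de;

    access_log /var/log/httpd_lists-access.log combined;
    error_log /var/log/httpd_lists-error.log;
    root /usr/local/mailman/cgi-bin;
    keepalive_timeout   70;

    # 180 days; "always" also emits the header on 4xx/5xx responses.
    add_header           Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
    ssl_certificate     /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/privkey.pem;
    ssl_dhparam         /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/dhparam4096.pem;
    ssl_ecdh_curve      secp384r1;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the list;
    # add TLSv1.3 once the nginx/openssl ports in the jail support it.
    ssl_protocols       TLSv1.2;
    # NOTE(review): after the ECDHE/DHE entries, HIGH:MEDIUM still admits RSA
    # key-exchange suites without forward secrecy; left unchanged for compatibility.
    ssl_ciphers         EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:HIGH:MEDIUM:!RC4:!3DES:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP;
    ssl_prefer_server_ciphers on;

    # OCSP stapling, verified against the issuer chain.
    ssl_stapling on;
    ssl_trusted_certificate /usr/local/etc/letsencrypt.sh/certs/www.lists.kss-sachsen.de/chain.pem;
    ssl_stapling_verify on;

    # Resumption via session tickets only (no server-side cache). The key file is
    # regenerated by the ticket_key.sh cron job and is read by nginx at (re)load.
    # NOTE(review): /tmp is a shared, world-writable directory; key material would
    # normally live in a root-only directory with restrictive permissions.
    ssl_session_timeout 10m;
    ssl_session_cache off;
    ssl_session_tickets on;
    ssl_session_ticket_key /tmp/nginx_ticketkey;

    # ACME http-01 challenge directory (document root /usr/local/www).
    location /.well-known/acme-challenge {
        root /usr/local/www;
    }
    # Site root -> list overview.
    location = / {
        rewrite ^ /mailman/listinfo permanent;
    }

    # Everything else is mapped onto the /mailman/ CGI namespace handled below.
    location / {
        rewrite ^ /mailman$uri;
    }

    # /mailman/<script>/<path info> -> cgi-bin/<script> through fcgiwrap.
    # $1 and $2 are this location regex's captures: the script name and its path info.
    location ~ ^/mailman(/[^/]*)(/.*)?$ {
        fastcgi_split_path_info (^/mailman/[^/]*)(.*)$;
        include fastcgi_params;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$2;
        fastcgi_pass  unix:/var/run/fcgiwrap/fcgiwrap.sock;
    }

    # Static icons; both URL prefixes point at the same directory.
    location /images/mailman {
        alias /usr/local/mailman/icons;
    }

    location /icons {
        alias /usr/local/mailman/icons;
    }

    # Only the public archive tree is exposed; directory listings are enabled for browsing.
    location /pipermail {
        alias /usr/local/mailman/archives/public;
        autoindex on;
    }
}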

Konfiguration mailman

Vorbereitung der Verknüpfung von mailman mit postfix

# Install the Postfix -> Mailman pipe script next to the Postfix configuration.
# NOTE(review): the script is downloaded over plain HTTP without any integrity
# check and then installed as a root-owned executable; verify the download
# (checksum against a trusted source, or a local review) before the chmod/chown step.
cd /usr/local/etc/postfix
fetch -o postfix-to-mailman.py http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
# Final mode/ownership: owner root, group mailnull may execute it, nobody else can read it.
chmod 750 postfix-to-mailman.py
chown root:mailnull postfix-to-mailman.py
/usr/local/mailman/postfix-to-mailman.py

Pfad zu Python kontrollieren und ggf. berichtigen


#! /usr/local/bin/python

Pfad zu Mailman kontrollieren und ggf. berichtigen


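# Mailman home directory. Plain ASCII double quotes are required here: the
# typographic quotes on the wiki page are a syntax error when the script runs.
MailmanHome = "/usr/local/mailman"; # Mailman home directory.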

Mail-Adresse der administrativen Kräfte ("EigentümerIn") für Mailman eintragen

Die Adresse sollte nicht in einer Domain liegen, die selbst über Mailman zugestellt wird.

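# Postmaster and abuse mail recipient. "postmaster@domain.tld" is a placeholder;
# use an address that is not delivered through Mailman itself. Plain ASCII double
# quotes are required: the typographic quotes on the wiki page are a syntax error.
MailmanOwner = "postmaster@domain.tld"; # Postmaster and abuse mail recipient.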

Setzen eines Passwortes für die Administration der Seite
# Set the site-wide Mailman administrator password (interactive).
cd /usr/local/mailman
bin/mmsitepass
# Prompt transcript; "mailman_password" stands for the real password and must not be reused here literally.
New site password: mailman_password
Again to confirm password: mailman_password
Erstellen des Mail-Verteilers mailman
# Create the mandatory site list "mailman" (run from /usr/local/mailman; interactive).
bin/newlist
# Prompt transcript; you@domain.tld and list_password are placeholders.
Enter the name of the list: mailman
Enter the email of the person running the list: you@domain.tld
Initial mailman password: list_password

You will then see instructions to add aliases for the mailing list. They can be ignored here, because delivery is handled entirely through the virtual transport set up below.
At the prompt "Hit enter to notify mailman owner" press ENTER.
/usr/local/mailman/Mailman/mm_cfg.py

Festlegung von postfix als MTA


# Mail transport agent Mailman integrates with; Postfix is configured in the section below.
MTA = "Postfix"

Setzen der Standardsprache für diesen Server


# Site-wide default language (German).
DEFAULT_SERVER_LANGUAGE = "de"

Eintragen der seitenspezifischen Einstellungen (virtuelle Hosts)


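# Virtual hosts: web host name -> e-mail domain. "domain.tld" is a placeholder
# (presumably kss-sachsen.de on this jail, as in main.cf below).
add_virtualhost('lists.domain.tld','lists.domain.tld')
add_virtualhost('domain.tld','domain.tld')
# Mailman's Defaults.py (imported by mm_cfg.py) defines Yes/No; the all-caps YES
# of the original is not defined anywhere and raises NameError when mm_cfg loads.
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = Yes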

Konfiguration postfix

/usr/local/etc/postfix/main.cf

# Postfix main.cf for the list jail. Values in angle brackets (<???>, <IPS>, <IP>)
# are placeholders that must be filled in; parameter order does not matter to Postfix.

# --- identity and local delivery ------------------------------------------
myhostname = mail.kss-sachsen.de
mydomain = kss-sachsen.de
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, lists.$mydomain
inet_protocols = ipv4
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases, hash:/etc/<???>
alias_database = hash:/etc/aliases, hash:/etc/<???>

# --- relaying --------------------------------------------------------------
# mynetworks takes precedence over mynetworks_style when both are set,
# so only the <IPS> list counts.
mynetworks_style = subnet
mynetworks = <IPS>
# Must at least contain reject_unauth_destination, otherwise the host relays for anyone.
smtpd_relay_restrictions = <???>
relayhost = <IP>

# --- Mailman hand-off --------------------------------------------------------
# The transport map sends the list domain to the "mailman" pipe transport in
# master.cf; one recipient per pipe invocation matches its ${user} argument.
transport_maps = hash:/usr/local/etc/postfix/transport
mailman_destination_recipient_limit = 1

# --- paths and installation defaults (FreeBSD port layout) -------------------
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
queue_directory = /var/spool/postfix
html_directory = /usr/local/share/doc/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
manpage_directory = /usr/local/man
mailq_path = /usr/local/bin/mailq
newaliases_path = /usr/local/bin/newaliases
sendmail_path = /usr/local/sbin/sendmail
mail_owner = postfix
setgid_group = maildrop
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
compatibility_level = 2

/usr/local/etc/postfix/transport

# Route the list domain to the "mailman" transport defined in master.cf, then
# rebuild the hash map so Postfix picks the entry up. (On the wiki page the
# leading "#" marked the root shell prompt, not a comment.)
echo 'lists.domain.tld mailman:' >> /usr/local/etc/postfix/transport
postmap /usr/local/etc/postfix/transport

/usr/local/etc/postfix/master.cf

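# Pipe transport that hands list mail to Mailman. It is selected for the list
# domain through transport_maps and limited to one recipient per delivery by
# mailman_destination_recipient_limit = 1 in main.cf, which is what the single
# ${user} argument below relies on.
# The pipe runs as "mailnull", the group the script was chown'ed to above;
# "mailull" in the original is a typo and points at a non-existent account,
# so Postfix could not run the pipe and every list delivery would fail.
mailman unix - n n - - pipe
 flags=FR user=mailnull
 argv=/usr/local/etc/postfix/postfix-to-mailman.py ${nexthop} ${user}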

Siehe auch

Weblinks