linux

Toggle view

Enable Dovecot SSL

2010/01/19 in Blog - Leave a reply

/etc/dovecot/dovecot.conf requires these settings

ssl_disable = no
ssl_cert_file = /etc/ssl/certs/certificate.pem
ssl_key_file = /etc/ssl/private/key.pem

The certificate and key must be created before either using the dovecot tools or the way I’m describing that in-depth.

SASL + Postfix with Debian Lenny

2010/01/19 in Blog - 2 Comments

In the last days I have reinstalled a mail server on a new virtual host and upgraded from debian etch to Lenny. The initial set was done by a friend of mine following this instructions. With the upgrade to Lenny however a few adjustments were required. So I describe the new setup here.

Read more

Create a server certificate with OpenSSL

2009/11/02 in Blog - 2 Comments

A long time ago I had created some certificate for my mail server. Very recently it expired so I had to renew it now.
Back then I had used 2 quite complex OpenSSL commands that I found @ some blog.

# create key + csr (-nodes == key is not encrypted)
openssl req -new -nodes -newkey rsa:1024 -keyout domain.key.pem -out domain.csr.pem
# create certificate (self signed)
openssl x509 -req -days 365 -in domain.csr.pem -signkey domain.key.pem -out domain.crt.pem

I had documented them somewhere but when I looked at them again, it was like “don’t know what’s going on here”! So I tried to break them up into multiple steps. Also I came up with some naming convention since quite a few file are created during the whole process.

A key file is using the file suffix .key.pem, a certificate signing request uses .csr.pem and a certificate .crt.pem .
And the filename would always be prefixed with the domain name. E.g. for domain google.com a key file would be google.com.key.pem .

Prepare for creating certificates

1. Create a certificate authority

For convenience before using OpenSSL I would set up a certificate authority (CA) with a key file and a certificate file. Assuming that OpenSSL is already installed I configure some defaults in /etc/ssl/openssl.cnf .

[ CA_default ]
dir                = /etc/ssl              # Where everything is kept
certificate      = $dir/private/cacert.pem       # The CA certificate
private_key    = $dir/private/cakey.pem   # The private key
...
[ req_distinguished_name ]
...

And we create a few files/directories in /etc/ssl:

echo 01>/etc/ssl/serial
touch /etc/ssl/index.txt
mkdir /etc/ssl/newcerts

The execution of the next OpenSSL command will create the CA files and prompt for some input. Note that here for common name it is sufficient to use your real name. Finally we make the key file readable for root only.

openssl req -new -x509 -newkey rsa:2048 -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/private/cacert.pem -days 730

chmod 600 /etc/ssl/private/cakey.pem

Ok here we go: these are the steps to create a certificate

2. Create a key for the server certificate

openssl genrsa -out domain.key.pem -aes128 2048 -days 730

That creates a password phrase protected key file. However since it so not fun to be prompted during server startup we remove the password phrase again.

openssl rsa -in domain.key.pem -out domain.key.pem

It actually would be better to safe the password protected key to some safe location before and creating the unprotected using a new file name!!!

Create a certificate signing request (CSR) and have a CA sign it

1. Create certificate signing request (CSR)

openssl req -new -key domain.key.pem -out domain.csr.pem -nodes

That creates a csr that later must be signed by a certificate authority (CA). It is of importance that here we have to use the full domain name of the server for the common name. Otherwise the client would not accept that certificate.

2. Have a CA sign the certificate signing request

A CA now has to sign the request. Either you contact one of the official authorities (like Thawte) and pay lots of bucks or you use the CA you created in the beginning (as we show now).

openssl ca -in domain.csr.pem -notext -out domain.crt.pem

3. Install certificate

First move the certificate to /etc/ssl/certs and move the key file to /etc/ssl/private. Make sure that only root can read the key files.

Finally you need to install your certificates which depends on the product you are using. Maybe I will write a blog entry on how to install a certificate for a mail provider or Apache web server later on.

Roundcube web mail

2009/10/18 in Blog - Leave a reply

I have been following the roundcube webmail project since version 0.1. Back then it was quite cumbersome to install on a Linux host. With 0.3 installation has turned into a cakewalk so I decided to try it now.

I only needed to update my PHP4 to PHP5, unpacked the installation package to the web root for the virtual host I created for roundcube, created a new mysql database and started the installation procedure.

Though it is still only a 0.3 version it has quite some impressive set of features. Of course due to its Web 2.0 nature it is a little bit slower than squirrel mail that I used earlier!

My virtual host administration

2009/05/31 in Blog - Leave a reply

For more than a year I have been running my own virtual host (thanks to Tom for helping with the setup of the mail system). Before I had almost no skills regarding Linux administration. Meanwhile I’m kindof able to maintain it and add this and that. For a while a few tasks have been pending

  1. Frequent logging file reports
  2. Monthly backup
  3. Moving backup files to some external storage service

Due to my pretty constrained time budget only now I was able to spend some hours on getting some task done.

For Frequent logging file reports I added logwatch to my system, customized it in /etc/logwatch/conf/logwatch.conf.

# Default person to mail reports to.  Can be a local account or a
# complete email address.
MailTo = recipient@domain
# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch

# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No

I added logwatch to my daily cron jobs in /etc/cron.daily/logwatch

test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
/usr/share/logwatch/scripts/logwatch.pl

I added a /etc/cron.monthly/backup script for performing monthly backups of important system files

outputFolder=/var/tmp/backup
now=`date +%Y%m%d%H%M`
hostname=`hostname`
outputFolder=$outputFolder/$hostname/$now

if [ -d $outputFolder ]
then
        echo "Backup has alread run on '$hostname'  for '$now'"
        exit 1
else
        mkdir --parents --verbose $outputFolder
fi

echo backup...
options=-cvvz
tar $options --file=$outputFolder/backup.tar.gz --exclude=/var/cache/* --exclude=/var/spool/* --exclude=/var/lock/* --exclude=/var/run/* --exclude=/var/tmp/* --exclude=/var/log/* /var /etc /home 1>$outputFolder/backup.log

echo "Backup for $hostname ready at $outputFolder/backup.tar.gz" | mail -s "Backup completed for $hostname `date`" recipient@domain

ubuntu hardy sudo returns "unable to resolve host"

2008/07/15 in Blog - Leave a reply

Today I tried to to a major upgrade of my local ubuntu based server. I hadn’t done this in a while. When starting update-manager it got stuck and refused to download any upgrades.
So I first attempted to run aptitude to get around. But as soon the I needed to sudo I got this nasty “unable to resolve host ” error. So basically coulddn’t get any permissions to make changes to the system.

I found this bug which explains wht’s going on. I don’t know how it happened but my /etc/hosts file contained an invalid hostname. I was able to start the network-admin panel (strangely here sudo-ing worked, I was prompted for the password) and fixed the hostname.

green red blue grey