Make use of snakeoil certificates in default configuration files

README.md

@@ -22,7 +22,7 @@ rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
 Install git and clone this repository
 
 ```
-apt-get update && apt-get install git && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
+apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
 ```
 
 Install files and programs
@@ -32,7 +32,7 @@ Install files and programs
 
 Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services:
 ```
-systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service
+systemctl daemon-reload && systemctl restart tor@default.service
 ```
 
 Replace the default .onion domain with your domain:
@@ -90,7 +90,30 @@ To send emails to the regular internet, it is necessary to have a static IP to r
 
 ### Proxy server:
 
-TODO
+Uninstall packages that may interfere with this setup:
+```
+DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
+```
+
+If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)
+
+```
+rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
+```
+
+Install git and clone this repository
+
+```
+apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
+```
+
+Install files and programs
+```
+./install_binaries_proxy.sh
+```
+
+Copy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished.
+
 
 ### General Domain settings
 
@@ -101,7 +124,7 @@ _dmarc    IN    TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postma
 @	IN	MX	0 yourdomain.
 ```
 
-Set the PTR record of your servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
+Set the PTR record of your proxy servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
 
 Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery.
 

etc/dovecot/dovecot.conf

@@ -47,8 +47,8 @@ auth_mechanisms = plain login
 
 #TLS parameters
 ssl = required
-ssl_cert = </etc/acme.sh/danwin1210.de_ecc/fullchain.cer
-ssl_key = </etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 ssl_client_ca_dir = /etc/ssl/certs
 ssl_dh = </etc/dovecot/dh.pem
 ssl_min_protocol = TLSv1.2

etc/nginx/nginx.conf

@@ -4,6 +4,7 @@ pid /run/nginx.pid;
 pcre_jit on;
 worker_rlimit_nofile 30000;
 worker_shutdown_timeout 1m;
+include /etc/nginx/modules-enabled/*.conf;
 
 events {
 	worker_connections 7680;
@@ -51,8 +52,8 @@ http {
 	ssl_early_data off;
 	ssl_stapling on;
 	ssl_stapling_verify on;
-	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
-	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	ssl_dhparam /etc/nginx/dh4096.pem;
 
 	##

etc/nginx/sites-enabled/mail

@@ -51,8 +51,8 @@ server {
 	add_header Cross-Origin-Opener-Policy same-origin always;
 	add_header Cross-Origin-Resource-Policy same-origin always;
         listen [::]:443 ssl proxy_protocol http2;
-	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
-	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	root /var/www/html;
 	index index.php;
 	server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;

etc/nginx/sites-enabled/openpgpkey

@@ -16,6 +16,6 @@ server {
 		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
 		expires off;
 	}
-	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
-	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 }

etc/postfix/main.cf

@@ -24,8 +24,8 @@ compatibility_level = 3.6
 smtputf8_autodetect_classes = all
 
 # TLS parameters
-smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer
-smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_ciphers = HIGH
 smtpd_tls_mandatory_ciphers = HIGH
 smtp_tls_ciphers = HIGH

etc/prosody/prosody.cfg.lua

@@ -124,8 +124,8 @@ pidfile = "/run/prosody/prosody.pid";
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
 ssl = {
-	key = "/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key";
-	certificate = "/etc/acme.sh/danwin1210.de_ecc/fullchain.cer";
+	key = "/etc/ssl/private/ssl-cert-snakeoil.key";
+	certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
 	dhparam = "/etc/prosody/dh4096.pem";
 	curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
 	ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";

etc_clearnet_proxy/nginx/nginx.conf

@@ -4,6 +4,7 @@ pid /run/nginx.pid;
 pcre_jit on;
 worker_rlimit_nofile 30000;
 worker_shutdown_timeout 1m;
+include /etc/nginx/modules-enabled/*.conf;
 
 events {
 	worker_connections 20000;
@@ -50,8 +51,8 @@ http {
 	ssl_early_data off;
 	ssl_stapling on;
 	ssl_stapling_verify on;
-	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
-	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	ssl_dhparam /etc/nginx/dh4096.pem;
 
 	##
@@ -119,8 +120,8 @@ stream {
 	ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1;
 	ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
 	ssl_session_cache shared:SSLSTREAM:10m;
-	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
-	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	ssl_dhparam /etc/nginx/dh4096.pem;
 	#smtp
 	server {

etc_clearnet_proxy/postfix/main.cf

@@ -15,8 +15,8 @@ readme_directory = no
 compatibility_level=3.6
 
 # TLS parameters
-smtpd_tls_cert_file=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
-smtpd_tls_key_file=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_tls_ciphers = HIGH

etc_clearnet_proxy/turnserver.conf

@@ -457,7 +457,7 @@ realm=danwin1210.de
 # Use PEM file format.
 #
 #cert=/usr/local/etc/turn_server_cert.pem
-cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
+cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
 
 # Private key file.
 # Use an absolute path or path relative to the
@@ -465,7 +465,7 @@ cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
 # Use PEM file format.
 #
 #pkey=/usr/local/etc/turn_server_pkey.pem
-pkey=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+pkey=/etc/ssl/private/ssl-cert-snakeoil.key
 
 # Private key file password, if it is in encoded format.
 # This option has no default value.

install_binaries.sh

@@ -8,7 +8,7 @@ workingdir=$(pwd)
 
 # install all required packages
 DEBIAN_FRONTEND=noninteractive apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libsasl2-modules locales locales-all logrotate lsb-release mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rspamd tor vim wget unzip brotli wireguard wireguard-tools
+DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libnginx-mod-http-brotli-filter libsasl2-modules locales locales-all logrotate lsb-release lua-dbi-mysql lua-event mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rng-tools5 rspamd tor vim wget unzip wireguard wireguard-tools
 
 # install composer
 curl -sSL https://github.com/composer/composer/releases/download/2.7.6/composer.phar > /usr/bin/composer
@@ -32,10 +32,17 @@ if [ ! -e /etc/postfix/danwin1210-mail.chain ]; then
 	openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain
 fi
 
-# Nginx
-if [ ! -e /etc/nginx/dh4096.pem ]; then
-	openssl dhparam -out /etc/nginx/dh4096.pem 4096
-fi
+# dhparams
+for file in /etc/nginx/dh4096.pem /etc/dovecot/dh.pem /etc/prosody/dh4096.pem; do
+	if [ ! -e "$file" ]; then
+		openssl dhparam -out "$file" 4096
+	fi
+done
+
+# vmail user
+id -u vmail > /dev/null 2>&1 || (groupadd -g 5000 -r vmail && useradd -g 5000 -M -r -s /bin/false -u 5000 vmail -d /var/mail/vmail)
+mkdir -p /var/mail/vmail
+chown vmail: /var/mail/vmail
 
 #install scripts
 mkdir -p /var/www/mail
@@ -72,6 +79,14 @@ unzip -o snappymail-${VERSION:1}.zip
 mkdir -p /var/local/snappymail
 chown www-data:www-data -R /var/local/snappymail
 
+# install prosody modules
+if [ ! -e /srv/prosody-modules ]; then
+	hg clone https://hg.prosody.im/prosody-modules/ /srv/prosody-modules
+else
+	cd /srv/prosody-modules
+	hg pull --update
+fi
+
 # copy configuration file
 cd $workingdir
 if [ ! -e /var/www/mail/common_config.php ]; then

install_binaries_proxy.sh

@@ -5,4 +5,4 @@ export LANG=C.UTF-8
 export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
 # install all required packages
 DEBIAN_FRONTEND=noninteractive apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver vim wget wireguard wireguard-tools
+DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools