From ce1cefe511acf47475bac4f0609c6ebd53e2d002 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Thu, 6 Jun 2024 14:06:55 +0200
Subject: [PATCH] Add more dependecies and DNS records

---
 README.md | 46 ++++++++++++++++++++++++++++-
 etc/nginx/sites-enabled/mta-sts | 12 ++++----
 etc_clearnet_proxy/nginx/nginx.conf | 2 +-
 install_binaries.sh | 12 ++++++++
 install_binaries_proxy.sh | 11 ++++++-
 5 files changed, 74 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 64f17f1..ea061d9 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ sed -i "s/danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/`cat /v
 
 Replace the default clearnet domain with your domain:
 ```
-sed -i "s/danwin1210.de/YOUR_DOMAIN/g" /etc/prosody/prosody.cfg.lua /etc/postfix/main.cf /etc/dovecot/dovecot.conf /etc/nginx/sites-enabled/mail /etc/nginx/sites-enabled/openpgpkey /var/www/mail/common_config.php
+sed -i "s/danwin1210.de/YOUR_DOMAIN/g" /etc/prosody/prosody.cfg.lua /etc/postfix/main.cf /etc/dovecot/dovecot.conf /etc/nginx/sites-enabled/* /var/www/mail/common_config.php
 ```
 
 Create a mysql users and databases:
@@ -75,6 +75,8 @@ rspamadm dkim_keygen -d YOUR_DOMAIN -s $(date +"%Y%m%d")-rsa -b 4096 -t rsa -k /
 rspamadm dkim_keygen -d YOUR_DOMAIN -s $(date +"%Y%m%d")-ed25519 -t ed25519 -k /var/lib/rspamd/dkim/YOUR_DOMAIN-ed25519
 ```
 
+Create a password used for your TURN server and replace all `YOUR_SECRET` in `/etc/prosody/prosody.cfg.lua` with it.
+
 Install [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https://certbot.eff.org/) to obtain a free letsencrypt SSL certificate, then update the path to this new certificate in the following files:
 ```
 nano /etc/prosody/prosody.cfg.lua /etc/dovecot/dovecot.conf /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/nginx/sites-enabled/mail /etc/nginx/sites-enabled/openpgpkey
@@ -115,6 +117,13 @@ Install files and programs
 Copy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished.
 
+Add the password for your TURN server you created for prosody in the main server and replace `YOUR_AUTH_SECRET` in `/etc/turnserver.conf` with it.
+
+Install [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https://certbot.eff.org/) to obtain a free letsencrypt SSL certificate, then update the path to this new certificate in the following files:
+```
+nano /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/turnserver.conf
+```
+
 ### General Domain settings
 
@@ -122,7 +131,42 @@ Add the following DNS records to your domain, with the IPs of your proxy server:
 ```
 @ IN TXT "v=spf1 ip4:your.ip.v4.address ip6:your:ip:v6:address -all"
 _dmarc IN TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postmaster@yourdomain;ruf=mailto:postmaster@yourdomain;rf=afrf;ri=86400;pct=100"
+_adsp._domainkey IN TXT "dkim=all;"
+_domainkey IN TXT "o=-;r=postmaster@yourdomain"
+*._report._dmarc IN TXT "v=DMARC1"
+_mta-sts IN TXT "v=STSv1; id=2024060601"
+_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@yourdomain"
+_imaps._tcp IN SRV 0 0 993 yourdomain.
+_submission._tcp IN SRV 0 0 465 yourdomain.
 @ IN MX 0 yourdomain.
+@ IN A your.ip.v4.address
+@ IN AAAA your:ip:v6:address
+www IN A your.ip.v4.address
+www IN AAAA your:ip:v6:address
+mta-sts IN A your.ip.v4.address
+mta-sts IN AAAA your:ip:v6:address
+conference IN A your.ip.v4.address
+conference IN AAAA your:ip:v6:address
+proxy IN A your.ip.v4.address
+proxy IN AAAA your:ip:v6:address
+upload IN A your.ip.v4.address
+upload IN AAAA your:ip:v6:address
+_xmpp-server._tcp.conference IN SRV 5 0 5269 yourdomain.
+_xmpp-server._tcp.conference IN SRV 0 0 5269 your_onion_domain.
+_xmpp-client._tcp IN SRV 5 0 5222 yourdomain.
+_xmpp-client._tcp IN SRV 0 0 5222 your_onion_domain.
+_xmpps-client._tcp IN SRV 5 0 5223 yourdomain.
+_xmpps-client._tcp IN SRV 0 0 5223 your_onion_domain.
+_xmpp-server._tcp IN SRV 5 0 5269 yourdomain.
+_xmpp-server._tcp IN SRV 0 0 5269 your_onion_domain.
+_stun._udp IN SRV 0 0 3478 yourdomain.
+_turn._udp IN SRV 0 0 3478 yourdomain.
+_stun._tcp IN SRV 0 0 3478 yourdomain.
+_stuns._tcp IN SRV 0 0 3479 yourdomain.
+_turn._tcp IN SRV 0 0 3478 yourdomain.
+_turns._tcp IN SRV 0 0 5349 yourdomain.
+_xmppconnect IN TXT "_xmpp-client-xbosh=https://yourdomain:5281/http-bind"
+_xmppconnect IN TXT "_xmpp-client-websocket=wss://yourdomain:5281/xmpp-websocket"
 ```
 Set the PTR record of your proxy servers IPs to your domain.
This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
diff --git a/etc/nginx/sites-enabled/mta-sts b/etc/nginx/sites-enabled/mta-sts
index 3192b87..daf2c88 100644
--- a/etc/nginx/sites-enabled/mta-sts
+++ b/etc/nginx/sites-enabled/mta-sts
@@ -1,12 +1,12 @@
 server {
- listen [::]:443 ssl http2;
- server_name mta-sts.danwin1210.de;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ listen [::]:443 ssl http2;
+ server_name mta-sts.danwin1210.de;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
- location / {
- return 404;
- }
+ location / {
+ return 404;
+ }
 location = /.well-known/mta-sts.txt {
 default_type text/plain;
 return 200 "version: STSv1
diff --git a/etc_clearnet_proxy/nginx/nginx.conf b/etc_clearnet_proxy/nginx/nginx.conf
index 061d63b..0e822ec 100644
--- a/etc_clearnet_proxy/nginx/nginx.conf
+++ b/etc_clearnet_proxy/nginx/nginx.conf
@@ -110,7 +110,7 @@ stream {
 ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1;
 ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
 ssl_session_cache shared:SSLSTREAM:10m;
- ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 ssl_dhparam /etc/nginx/dh4096.pem;
 #smtp
diff --git a/install_binaries.sh b/install_binaries.sh
index 8829f34..d50829c 100755
--- a/install_binaries.sh
+++ b/install_binaries.sh
@@ -76,9 +76,21 @@ cd /var/www/mail/www/snappymail
 VERSION=$(curl -s https://api.github.com/repos/the-djmaze/snappymail/releases/latest | grep tag_name | cut -d '"' -f 4)
 wget https://github.com/the-djmaze/snappymail/releases/download/${VERSION}/snappymail-${VERSION:1}.zip
 unzip -o snappymail-${VERSION:1}.zip
+rm snappymail-${VERSION:1}.zip
 mkdir -p /var/local/snappymail
 chown www-data:www-data -R /var/local/snappymail
 
+# install converse.js
+rm -rf /srv/conversejs
+mkdir -p /srv/conversejs
+cd /srv/conversejs
+VERSION=$(curl -s https://api.github.com/repos/conversejs/converse.js/releases/latest | grep tag_name | cut -d '"' -f 4)
+wget https://github.com/conversejs/converse.js/releases/download/${VERSION}/converse.js-${VERSION:1}.tgz
+tar xzf converse.js-${VERSION:1}.tgz --strip-components=1
+rm converse.js-${VERSION:1}.tgz
+
+rm -f /etc/nginx/sites-enabled/default
+
 # install prosody modules
 if [ ! -e /srv/prosody-modules ]; then
 hg clone https://hg.prosody.im/prosody-modules/ /srv/prosody-modules
diff --git a/install_binaries_proxy.sh b/install_binaries_proxy.sh
index e8298f2..7ad6ff0 100755
--- a/install_binaries_proxy.sh
+++ b/install_binaries_proxy.sh
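Review bot: The new converse.js block has no failure check on the version lookup: `VERSION` comes from `curl -s ... | grep tag_name | cut -d '"' -f 4`, so a network error, a non-200 response or an unauthenticated GitHub API rate limit leaves it empty, and by then `/srv/conversejs` has already been wiped by `rm -rf`, after which `wget` requests a malformed URL and `tar` fails on a missing archive; whether `set -e` stops the script at that point depends on lines outside the hunk. Guard it directly after the assignment, e.g. `[ -n "$VERSION" ] || { echo "cannot determine converse.js release" >&2; exit 1; }`, and use `curl -fsS` so HTTP errors are not silently swallowed. The tarball is also extracted into `/srv/conversejs` without any checksum or signature verification, unlike the apt-installed packages; pinning the release tag together with the expected hash of the archive (checked before `tar xzf`) would make the install reproducible and detect a tampered or truncated download. The same unchecked pattern already exists for snappymail above the hunk, so whichever guard you adopt should probably be applied there too.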
@@ -5,4 +5,13 @@ export LANG=C.UTF-8
 export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
 # install all required packages
 DEBIAN_FRONTEND=noninteractive apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools
+DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libnginx-mod-stream libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools
+
+# dhparams
+for file in /etc/nginx/dh4096.pem; do
+ if [ ! -e "$file" ]; then
+ openssl dhparam -out "$file" 4096
+ fi
+done
+
+rm -f /etc/nginx/sites-enabled/default
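Review bot: The `for file in /etc/nginx/dh4096.pem; do` loop iterates over a single literal path, so it reads like a leftover from a multi-file loop; `if [ ! -e /etc/nginx/dh4096.pem ]; then openssl dhparam -out /etc/nginx/dh4096.pem 4096; fi` says the same thing without the indirection. Generating 4096-bit parameters takes many minutes on typical hardware and prints only progress dots, so a comment such as `# 4096-bit DH parameter generation is slow (minutes) - this is expected` above it would stop the next operator from assuming the install has hung. If `openssl dhparam` fails or is interrupted, the `ssl_dhparam /etc/nginx/dh4096.pem;` directive in the proxy nginx stream config (touched in this same patch) will keep nginx from starting at all; since it is not visible from the hunk whether `set -e` is active, an explicit `|| exit 1` on the openssl line is worth adding so the failure is reported at the point it happens.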