mccarthy.hcoop.net is our first Debian Jessie VM, and is intended to run mail services and the member portal.
1. The Ugly
ServerDeleuze decided to start dying one day so a few evils were committed in moving services.
1.1. Exim
Installed exim4-daemon-heavy procmail spf-tools-perl, merged deleuze's config onto the current Debian base exim4 config. No config package has been created. History is lost from deleuze at the moment (diff -ur ...).
Added /etc/ferm/service.d/...
1.1.1. Exim Notes
Blockers:
- WTF is up with conf.d/30_exim4_examples hcoop_plain + hcoop_login drivers? Are we using sasldaemon for auth?!
  - Running on deleuze with args: saslauthd -a pam -c -n 5
  -
      account sufficient pam_unix.so
      account required pam_ldap.so
      account required pam_krb5.so debug
- Can users not in slapd actually not send mail? Doesn't seem like it, I can send mail fine when slapd isn't running.
- Delivery to mailman not on localhost does not work. Need a condition for checking if we are the mailman host, and using something like remote_smtp_smarthost to relay to the mailman host if needed (which is for now with deleuze).
  - I think conf.d/router/470_exim4-config_mailman is the right place (set a different transport if we are not the mailman host)
Things that need review in the config:
- dc_other_hostnames, dc_relay_nets, unix_domains look like they could be unified, simplifying the config
- DomTool overrides local_domains, and we replace local_domains with unix_domains almost everywhere. domtool should probably generate another domainlist, and we should modify the few places where we need to check user hosted domains (idea for a descriptive name: hosted_domains).
- I think we're doing sender verification wrong
- Do we want to check CHECK_RCPT_DOMAIN_DNSBLS in addition to IP_DNSBLS?
- Load limits do not appear to cause major problems, but review them because they were made for when deleuze was seriously overloaded
- Similarly, retry/30_exim4_config has weird retry times because afs used to time out on deleuze from being overloaded. Revisit.
- We gain tokens in various places by setting an arbitrary environment variable and using side effects of $run{}. There has got to be a better way to grab afs tokens when needed.
- Domtool created files in /etc/ (aliases.hosted + wildcard), /etc/exim4, ... perhaps move all domtool generated files into one directory to help make it immediately obvious what is generated by domtool? All of the files generated by domtool have their paths configured in the exim config afaict.
Misc Changes from Debian:
- /etc/mailname to hcoop.net
- We drop rather than warn for domains in CHECK_RCPT_IP_DNSBLS
Major changes of note from deleuze:
- SPF checking will deny and not just warn
- DKIM checking is on
- dev_null router not included (unused)
- trouble_user logic not included (one time problem, years ago...)
- Using official hcoop cert
2. Setup Issues
- Fix fail2ban
  - ferm resets rules every time it reloads. Add a ferm hook to reload fail2ban on firewall reload
- sudo $command > file does not work, piping does however. Probably a new sudo option to detect output redirection and squelch output.
- systemd work:
  - domtool unit files seem to work OK so far
  - ferm is likely starting earlier than it should be, and may fail if the generated config references any pts users
  - dnscache-run starts very late by virtue of daemontools starting late. Either hack daemontools to be WantedBy=nss-lookup.target (the systemd equivalent of the LSB $named facility), or make dnscache-run a native systemd service.
    - Hacked momentarily by adding Google DNS servers as backups
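The fail2ban item under Setup Issues describes ferm flushing the iptables chains fail2ban created, so bans silently stop applying. As an added example (not part of the HCOOP wiki or its configs), this sh check reads iptables -S output and verifies that fail2ban's chains exist and are still jumped to from INPUT; the ferm.conf path, the chain names and the sample rule sets are assumptions.

```shell
#!/bin/sh
# Added example, not from the HCOOP wiki or its configs: detect the failure
# mode where a ferm reload flushes the chains fail2ban created, so fail2ban
# keeps "banning" into chains that no longer exist.
# Run on a host as:  check_fail2ban_chains "$(iptables -S)"
#
# The fix the note asks for is a post hook in ferm's config (path assumed to
# be /etc/ferm/ferm.conf) so the chains are rebuilt after every reload:
#   @hook post "systemctl restart fail2ban";

# Returns 0 only when at least one fail2ban chain exists and every such chain
# is jumped to from INPUT. Checks both chain prefixes fail2ban has used:
# fail2ban-<jail> (0.8/0.9) and f2b-<jail> (0.10 and later).
check_fail2ban_chains() {
    rules="$1"
    status=0
    chains=$(printf '%s\n' "$rules" | awk '$1 == "-N" && $2 ~ /^(fail2ban|f2b)-/ { print $2 }')
    if [ -z "$chains" ]; then
        echo "no fail2ban chains present: rules were flushed or fail2ban is not running" >&2
        return 1
    fi
    for c in $chains; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT .* -j $c\$"; then
            echo "chain $c exists but nothing in INPUT jumps to it" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample rule sets (iptables -S format), not captured from mccarthy.
# Before a ferm reload: fail2ban's ssh chain is wired into INPUT.
RULES_OK='-P INPUT DROP
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-ssh -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN'

# After a ferm reload without the hook: only ferm's own rules remain.
RULES_FLUSHED='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# A chain that survived but lost its jump from INPUT is just as useless.
RULES_ORPHAN='-P INPUT DROP
-N fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-ssh -j RETURN'
```

Restarting fail2ban from the hook recreates its chains, but on fail2ban versions before 0.9, which have no persistent ban database, the active bans themselves are lost with the restart.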