Simpler server setup

I use my private server setup notes as a cheatsheet occasionally, but below is a simplified version of that, the way I adjusted it to set with a temporary free domain name (from afraid.org, without DNSSEC, so did not set DANE, either), without a secondary DNS server, without mailing lists, with uacme instead of certbot, and without mail submission via Postfix, since mail can be handled either completely over SSH, or Dovecot can handle both IMAP and submission. XMPP is also configured, for textual chats only: without a TURN server, a web interface, or file upload. This time aiming multiple domain names.

Initial setup

In this section we update the system, add users, configure SSH access, optionally set a text editor.

# Check /etc/apt/sources.list
apt update
apt upgrade
apt install sudo emacs-nox
# Add a user
adduser defanor
adduser defanor sudo
su defanor
# The text editor setup is optional
echo 'EDITOR="emacsclient -a emacs -t"' >> .profile
source .profile
echo 'alias em="emacsclient -a emacs -t"' >> .bashrc
source .bashrc
systemctl --user enable --now emacs
# Add SSH keys, configure sshd
mkdir .ssh
$EDITOR .ssh/authorized_keys
sudo -e /etc/ssh/sshd_config
# Ensure "PermitRootLogin no" and "PasswordAuthentication no"
sudo systemctl reload sshd
# Check that logging in as a user and sudo work, lock the root password
sudo passwd -l root
# Set time zone to UTC, locale to C.UTF-8
sudo dpkg-reconfigure tzdata
sudo -e /etc/default/locale

DNS and ACME

We will set knot for DNS and uacme for ACME, run uacme under its own user.

apt install knot knot-dnsutils uacme
sudo keymgr -t uacme hmac-sha512
sudo -e /etc/knot/knot.conf
# A knot.conf example is in the next listing
sudo -e /var/lib/knot/steady.mooo.com.zone
sudo -e /var/lib/knot/beep.boop.ip-dynamic.org.zone
# A zone file example is below
sudo adduser --system uacme
sudo mkdir /etc/ssl/uacme
sudo chown uacme /etc/ssl/uacme
sudo -u uacme uacme -v new
sudo cp /usr/share/uacme/nsupdate.sh /usr/local/bin/uacme-nsupdate.sh
sudo -e /usr/local/bin/uacme-nsupdate.sh
# An uacme-nsupdate.sh adjusted for knot is below
sudo -u uacme -e /etc/ssl/uacme/private/uacme.tsig
# uacme.tsig contains the key produced by keymgr above
sudo chmod 600 /etc/ssl/uacme/private/uacme.tsig
sudo -u uacme uacme -h /usr/local/bin/uacme-nsupdate.sh issue \
  steady.mooo.com '*.steady.mooo.com' \
  beep.boop.ip-dynamic.org '*.beep.boop.ip-dynamic.org'
# Set the same uacme command on cron.daily, followed by "systemctl reload ..."
sudo -e /etc/cron.daily/uacme-cert-update

/etc/knot/knot.conf changes:

--- original_configs/knot.conf  2024-08-29 18:41:48.485534350 +0000
+++ /etc/knot/knot.conf 2024-09-29 12:20:50.446108496 +0000
@@ -5,7 +5,7 @@
     rundir: "/run/knot"
     user: knot:knot
     automatic-acl: on
-    listen: [ 127.0.0.1@53, ::1@53 ]
+    listen: [ 127.0.0.1@53, ::1@53, 89.110.126.39@53 ]
 
 log:
   - target: syslog
@@ -26,7 +26,26 @@
     storage: "/var/lib/knot"
     file: "%s.zone"
 
+key:
+  - id: uacme
+    algorithm: hmac-sha512
+    secret: SECRET_TSIG_KEY
+
+acl:
+  - id: uacme_acl
+    address: [127.0.0.1, ::1]
+    action: update
+    key: uacme
+
 zone:
+  - domain: steady.mooo.com
+    acl: uacme_acl
+    semantic-checks: on
+
+  - domain: beep.boop.ip-dynamic.org
+    acl: uacme_acl
+    semantic-checks: on
+
 #    # Primary zone
 #  - domain: example.com
 #    notify: secondary

A zone file example, /var/lib/knot/steady.mooo.com.zone:

@       10800   SOA     steady.mooo.com. hostmaster.steady.mooo.com. 726 43200 7200 2419200 86400
@       10800   A       89.110.126.39
@       10800   NS      steady.mooo.com.
@       10800   TXT     "v=spf1 a mx ~all"
@       10800   CAA     0 issue "letsencrypt.org;validationmethods=dns-01"
@       10800   MX      10 steady.mooo.com.
_dmarc  10800   TXT     "v=DMARC1; p=quarantine"
_adsp._domainkey        10800   TXT     "dkim=all"
strudel2024._domainkey  10800   TXT     "v=DKIM1; h=sha256; k=rsa; p=KEY_HERE"
_xmpp-client._tcp       10800   SRV     10 5 5222 steady.mooo.com.
_xmpp-server._tcp       10800   SRV     10 5 5269 steady.mooo.com.
_xmpp-server._tcp.chat  10800   SRV     10 5 5269 steady.mooo.com.

The zone file for beep.boop.ip-dynamic.org is similar. Had to use the fourth level domain for it, since cloudns.net serves SOA records itself (not allowing to override those on free plans), so third-level domain name delegation does not quite work.

The uacme-nsupdate.sh hook script adjustments (though it is not suitable for a separate zone for _acme-challenge: the sample script's ns_getdomain procedure would fail to retrieve the domain):

--- /usr/share/uacme/nsupdate.sh        2023-02-15 20:31:43.000000000 +0000
+++ /usr/local/bin/uacme-nsupdate.sh    2024-09-30 11:29:02.484954804 +0000
@@ -21 +21 @@
-NSUPDATE=nsupdate
+NSUPDATE=knsupdate
@@ -29 +29 @@
-RNDC_KEY_NSUPDATE=
+RNDC_KEY_NSUPDATE=/etc/ssl/uacme/private/uacme.tsig
@@ -106 +106,2 @@
-            server ${nameserver}
+            zone ${IDENT}.
+            origin ${IDENT}.
@@ -109,0 +111,4 @@
+
+    # Wait a little, since otherwise somehow Let's Encrypt sees old
+    # records.
+    sleep 5

At this point, we have a working authoritative DNS server and X.509 certificate updates.

WWW

A web server is easy to set now:

sudo apt install nginx
sudo -e /etc/nginx/sites-available/general.conf
sudo ln -s /etc/nginx/sites-available/general.conf /etc/nginx/sites-enabled/

And sample site configuration, steady.mooo.com.conf:

server {
        listen 80;
        listen 443 ssl;
        server_name steady.mooo.com beep.boop.ip-dynamic.org;
        ssl_certificate /etc/ssl/uacme/steady.mooo.com/cert.pem;
        ssl_certificate_key /etc/ssl/uacme/private/steady.mooo.com/key.pem;
        index index.xhtml index.html index.txt;

        location / {
            root   /var/www/general;
        }

        # User directories
        location ~ ^/~([^/]+)(.*)$ {
            alias /home/$1/public_html/$2;
        }

}

Email

Postfix

Setting Postfix with OpenDKIM and SPF Engine first, for a basic mail server.

sudo apt install postfix postfix-policyd-spf-python opendkim opendkim-tools
sudo -u opendkim opendkim-genkey -D /etc/dkimkeys -d steady.mooo.com -s strudel2024
sudo -e /etc/opendkim.conf
# opendkim.conf adjustments are listed below
# Aiming multiple domains, so using keytable and signingtable
sudo tee /etc/dkimkeys/keytable <<EOF
strudel2024 steady.mooo.com:strudel2024:/etc/dkimkeys/strudel2024.private
strudel2024 beep.boop.ip-dynamic.org:strudel2024:/etc/dkimkeys/strudel2024.private
EOF
sudo tee /etc/dkimkeys/signingtable <<EOF
*@steady.mooo.com strudel2024
*@beep.boop.ip-dynamic.org strudel2024
EOF
sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/opendkim
sudo systemctl restart opendkim
sudo adduser postfix opendkim
sudo -e /etc/postfix/master.cf
sudo -e /etc/postfix/main.cf
# master.cf and main.cf adjustments are listed below
# Adjust access rules and mail aliases
sudo -e /etc/postfix/postscreen_access.cidr
sudo -e /etc/postfix/client_checks
sudo postmap /etc/postfix/client_checks
sudo -e /etc/postfix/sender_checks
sudo postmap /etc/postfix/sender_checks
sudo -e /etc/aliases
sudo postalias /etc/aliases
sudo systemctl restart postfix

opendkim.conf edits:

--- original_configs/opendkim.conf      2024-08-30 06:36:30.982553576 +0000
+++ /etc/opendkim.conf  2024-08-30 06:38:37.435019550 +0000
@@ -24,0 +25,2 @@
+KeyTable                file:/etc/dkimkeys/keytable
+SigningTable            refile:/etc/dkimkeys/signingtable
@@ -37 +39 @@
-Socket                 local:/run/opendkim/opendkim.sock
+#Socket                        local:/run/opendkim/opendkim.sock
@@ -40 +42 @@
-#Socket                        local:/var/spool/postfix/opendkim/opendkim.sock
+Socket                 local:/var/spool/postfix/opendkim/opendkim.sock

The Postfix's master.cf:

--- original_configs/master.cf  2024-08-30 06:48:45.213250773 +0000
+++ /etc/postfix/master.cf      2024-08-30 07:01:25.308043639 +0000
@@ -12,5 +12,5 @@
-smtp      inet  n       -       y       -       -       smtpd
-#smtp      inet  n       -       y       -       1       postscreen
-#smtpd     pass  -       -       y       -       -       smtpd
-#dnsblog   unix  -       -       y       -       0       dnsblog
-#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#smtp      inet  n       -       y       -       -       smtpd
+smtp      inet  n       -       y       -       1       postscreen
+smtpd     pass  -       -       y       -       -       smtpd
+dnsblog   unix  -       -       y       -       0       dnsblog
+tlsproxy  unix  -       -       y       -       0       tlsproxy
@@ -137,0 +138,4 @@
+
+# SPF with postfix-policyd-spf-python
+policyd-spf  unix  -       n       n       -       0       spawn
+  user=policyd-spf argv=/usr/bin/policyd-spf

And main.cf:

--- original_configs/main.cf    2024-08-30 07:24:12.265070083 +0000
+++ /etc/postfix/main.cf        2024-09-01 16:10:52.553840094 +0000
@@ -27,2 +27,2 @@
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file=/etc/ssl/uacme/steady.mooo.com/cert.pem
+smtpd_tls_key_file=/etc/ssl/uacme/private/steady.mooo.com/key.pem
@@ -37 +37 @@
-myhostname = strudel.uberspace.net
+myhostname = steady.mooo.com
@@ -41 +41 @@
-mydestination = $myhostname, steady.mooo.com, strudel.uberspace.net, localhost.uberspace.net, localhost
+mydestination = $myhostname, steady.mooo.com, beep.boop.ip-dynamic.org, strudel.uberspace.net, localhost
@@ -44 +44,2 @@
-message_size_limit = 0
+message_size_limit = 20971520
+mailbox_size_limit = 1073741824
@@ -48,0 +50,53 @@
+# Store messages in ~/Maildir/
+home_mailbox = Maildir/
+
+# OpenDKIM
+smtpd_milters = unix:opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+internal_mail_filter_classes = bounce
+
+# Postscreen
+postscreen_access_list = permit_mynetworks,
+                         cidr:/etc/postfix/postscreen_access.cidr
+postscreen_blacklist_action = drop
+postscreen_greet_action = drop
+postscreen_pipelining_enable = yes
+postscreen_non_smtp_command_enable = yes
+postscreen_bare_newline_enable = yes
+postscreen_bare_newline_action = enforce
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites = zen.spamhaus.org*3
+        b.barracudacentral.org*2
+        bl.spameatingmonkey.net*2
+        bl.spamcop.net
+        dnsbl.sorbs.net
+        psbl.surriel.com
+        bl.mailspike.net
+        list.dnswl.org=127.0.[0..14;16..255].0*-2
+        list.dnswl.org=127.0.[0..14;16..255].1*-3
+        list.dnswl.org=127.0.[0..9;11..14;16..255].[2..3]*-4
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_whitelist_threshold = -1
+
+# Other anti-UCE
+smtpd_helo_required = yes
+disable_vrfy_command = yes
+smtpd_recipient_restrictions =
+        reject_invalid_hostname,
+        reject_non_fqdn_hostname,
+        reject_non_fqdn_sender,
+        reject_non_fqdn_recipient,
+        reject_unknown_sender_domain,
+        reject_unknown_recipient_domain,
+        permit_mynetworks,
+        reject_unauth_destination,
+        check_sender_access hash:/etc/postfix/sender_checks,
+        check_client_access hash:/etc/postfix/client_checks,
+        reject_rbl_client bl.spamcop.net,
+        reject_rbl_client cbl.abuseat.org,
+        check_policy_service unix:private/policyd-spf,
+        permit
+smtpd_data_restrictions =
+                        reject_unauth_pipelining,
+                        permit

At this point, the mail server's core is configured. It can be used with sendmail(1), mail(1) from GNU mailutils (installed with Emacs), or Emacs clients, on the server itself. For instance, with mu4e:

sudo apt install mu4e
mu init --maildir=~/Maildir --my-address=defanor@steady.mooo.com --my-address=defanor@beep.boop.ip-dynamic.org

Then M-x mu4e in Emacs, and it is works for mail reading and composition, without additional configuration. But for external IMAP and SMTP clients, we could set Dovecot.

Dovecot

Now to set IMAP access and submission over SMTP, with Dovecot: sudo apt install dovecot-imapd dovecot-submissiond, then adjust the following three configuration files:

--- original_configs/10-mail.conf       2024-08-30 17:37:12.441632067 +0000
+++ /etc/dovecot/conf.d/10-mail.conf    2024-08-30 16:51:40.139684081 +0000
@@ -29,3 +29,3 @@
 #
-mail_location = mbox:~/mail:INBOX=/var/mail/%u
+mail_location = maildir:~/Maildir
--- original_configs/10-ssl.conf        2024-08-30 17:37:51.361773007 +0000
+++ /etc/dovecot/conf.d/10-ssl.conf     2024-08-30 16:53:20.508051171 +0000
@@ -6 +6 @@
-ssl = yes
+ssl = required
@@ -12,2 +12,2 @@
-ssl_cert = </etc/dovecot/private/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.key
+ssl_cert = </etc/ssl/uacme/steady.mooo.com/cert.pem
+ssl_key = </etc/ssl/uacme/private/steady.mooo.com/key.pem
--- original_configs/20-submission.conf 2024-08-30 17:31:46.480451752 +0000
+++ /etc/dovecot/conf.d/20-submission.conf      2024-08-30 18:01:07.070829241 +0000
@@ -45 +45 @@
-#submission_relay_host =
+submission_relay_host = localhost
@@ -52 +52 @@
-#submission_relay_trusted = no
+submission_relay_trusted = yes

Reload the service, and it should work. Can be set with Emacs mail clients, but here is a basic mutt configuration (~/.muttrc) that works with this setup:

set folder=imaps://defanor@steady.mooo.com/
set spoolfile=+INBOX
mailboxes +INBOX

set record = +Sent
set realname=defanor
set from=defanor@steady.mooo.com
set smtp_url=smtp://defanor@steady.mooo.com:587/
set ssl_starttls=yes
unset smtp_pass

XMPP

A basic XMPP setup here, just for textual chats.

sudo apt install prosody
sudo rm /etc/prosody/conf.d/localhost.cfg.lua
sudo -e /etc/prosody/prosody.cfg.lua
sudo chgrp ssl-cert /etc/ssl/uacme/private/{,steady.mooo.com/{,key.pem}}
sudo chmod g+r /etc/ssl/uacme/private/steady.mooo.com/key.pem
sudo chmod g+rx /etc/ssl/uacme/private/{,steady.mooo.com/}
sudo adduser prosody ssl-cert
sudo prosodyctl restart
sudo prosodyctl adduser defanor@steady.mooo.com

And the configuration adjustments:

--- original_configs/prosody.cfg.lua    2024-08-31 19:47:49.024239057 +0000
+++ /etc/prosody/prosody.cfg.lua        2024-08-31 21:02:37.783514208 +0000
@@ -24 +24 @@
-admins = { }
+admins = { "defanor@steady.mooo.com" }
@@ -65 +65 @@
-               --"mam"; -- Store recent messages to allow multi-device synchronization
+               "mam"; -- Store recent messages to allow multi-device synchronization
@@ -199,2 +199,2 @@
-       info = "/var/log/prosody/prosody.log";
-       error = "/var/log/prosody/prosody.err";
+       -- info = "/var/log/prosody/prosody.log";
+       -- error = "/var/log/prosody/prosody.err";
@@ -202 +202 @@
-       { levels = { "error" }; to = "syslog";  };
+       { levels = { "info" }; to = "syslog";  };
@@ -233,3 +233,5 @@
-VirtualHost "localhost"
--- Prosody requires at least one enabled VirtualHost to function. You can
--- safely remove or disable 'localhost' once you have added another.
+VirtualHost "steady.mooo.com"
+ssl = {
+  certificate = "/etc/ssl/uacme/steady.mooo.com/cert.pem";
+  key = "/etc/ssl/uacme/private/steady.mooo.com/key.pem";
+}
@@ -245,2 +247,2 @@
----Set up a MUC (multi-user chat) room server on conference.example.com:
---Component "conference.example.com" "muc"
+---Set up a MUC (multi-user chat) room server on chat.steady.mooo.com:
+Component "chat.steady.mooo.com" "muc"
@@ -248 +250 @@
---modules_enabled = { "muc_mam" }
+modules_enabled = { "muc_mam" }

nftables and fail2ban

To reduce spam in the logs:

apt install fail2ban
sudo -e /etc/fail2ban/jail.local
sudo systemctl restart fail2ban

A jail.local example from the old notes works, but with backend = systemd in the DEFAULT section, now that there are no traditional textual log files by default.

Likewise with nftables: I took the old nftables configuration, only slightly adjusting it.