blog-contributions/opsec/mail/index.html
2024-08-24 16:01:33 +02:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>VPS Mailserver</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-cis navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-cis" href="/index.html">nihilist`s Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="cis2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a><br><br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist - 00 / 00 / 00</ba></p>
<h1>VPS Mailserver </h1>
<p>Before we start, you will need a Debian 10+ VPS (you can get one on DigitalOcean, for example). If you prefer to use your own self-hosted server, make sure that ports 80, 443, 587 and 993 are correctly forwarded so that the public IP reaches the server and not the router. Once that's done, SSH into your Debian 10 server.</p>
<p>You cannot use DuckDNS for this one, because you will need to add specific DNS records, most importantly the MX and DKIM records, which are crucial for this tutorial.
Therefore go get an actual paid domain name; I got mine on <a href="https://infomaniak.com">Infomaniak</a>:</p>
<img src="1.png" class="imgRz">
<p>So let's add a subdomain that points at our mail server. To do so, go to the DNS Zone settings and add a few entries, starting with the MX record:</p>
<img src="2.png" class="imgRz">
<p>Here, make sure you do not forget the trailing dot (.) at the end of the Target. Next you want to set up that mail subdomain as well. To do so, add a CNAME record if your mail server is the SAME machine as your main server (mail.domain.com == domain.com):
</p>
<img src="3.png" class="imgRz">
<p>In the other case, where your mail server is NOT the same machine as the main server (mail.domain.com != domain.com), you will need an A record, which tells clients which IP to go to in order to reach that mail server:
</p>
<img src="4.png" class="imgRz">
<p>In this case we're going to make it point to our DigitalOcean VPS as usual, and once that's done we can simply SSH into it:</p>
<p>EDIT: DIGITALOCEAN IS BLOCKING PORT 25 (SMTP). I have to redo this tutorial on another VPS.</p>
<pre><code class="nim">
[ 192.168.100.1/24 ] [ /dev/pts/8 ] [~]
→ ssh root@mail.void.yt
The authenticity of host 'mail.void.yt (161.35.41.22)' can't be established.
ECDSA key fingerprint is SHA256:AMDSjSs4f3CDvivmjFRjGDjmuz079vsS/A+9hdYi9a0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mail.void.yt,161.35.41.22' (ECDSA) to the list of known hosts.
Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@debian-s-1vcpu-1gb-lon1-01:~#
</code></pre>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="cis3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Initial Configuration </b></h2>
<p>Once you've logged in via SSH, install the following dependencies:</p>
<pre><code class="nim">
apt install nginx socat curl -y
</code></pre>
<p>Once that's done, download the nginx config and edit it:</p>
<pre><code class="nim">
wget https://blog.nowhere.moe/servers/mail/mail.conf -O /etc/nginx/sites-available/mail.conf
nano /etc/nginx/sites-available/mail.conf
</code></pre>
<p>Make sure you put your own domain name in there:</p>
<img src="6.png" class="imgRz">
<p>Next we're going to get our free TLS certificate by using acme.sh:</p>
<pre><code class="nim">
wget -O - https://get.acme.sh | sh
source ~/.bashrc
systemctl stop nginx
acme.sh --issue --standalone -d mail.void.yt -k 4096
</code></pre>
<p>Once you're done, hit CTRL+S to save, and CTRL+X to exit nano.</p>
<pre><code class="nim">
ln -s /etc/nginx/sites-available/mail.conf /etc/nginx/sites-enabled/mail.conf
nginx -t
systemctl start nginx
</code></pre>
<p>At this point nginx should tell you the configuration is successful; if not, make sure you followed the syntax of the original file. Next we're going to check that our configuration works by browsing to it:</p>
<img src="7.png" class="imgRz">
<p>Here the 404 error is intended; you can also see that the website redirects to HTTPS (TLS 1.3). From here we'll simply need to use <a href="https://lukesmith.xyz/">Luke Smith</a>'s <a href="https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh">script</a>:</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="cis2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>The Script</b></h2><br><br>
<pre><code class="nim">
cd ~
wget https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh
chmod +x emailwiz.sh
sh emailwiz.sh
</code></pre>
<p>When Postfix asks you something, hit "internet site":</p>
<img src="8.png" class="imgRz">
<p>Next, Postfix is going to ask you for the FQDN. Make sure you type the domain name, NOT the subdomain:</p>
<img src="9.png" class="imgRz">
<p>Then hit enter and wait for the script to install Postfix and Dovecot.
Luke intended this script to configure Postfix and Dovecot together. The main feature is that once you create a user
and add them to the <b>mail</b> group, they are able to receive and send mail.
</p>
<p>Once the script has finished running, we need to go back to our DNS settings to configure DKIM:</p>
<img src="10.png" class="imgRz">
<p>First, we add the following TXT record:</p>
<img src="11.png" class="imgRz">
<img src="12.png" class="imgRz">
<p>If it doesn't work, try the DKIM option and hit save:</p>
<img src="13.png" class="imgRz">
<p>Next we're going to add DMARC:</p>
<img src="14png.png" class="imgRz">
<img src="15.png" class="imgRz">
<p>And lastly, the TXT record at @:</p>
<img src="16.png" class="imgRz">
<img src="17.png" class="imgRz">
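<p>The records from the MX/CNAME/A steps earlier and the DKIM, DMARC and @ TXT steps here are easy to get subtly wrong, and the registrar screenshots do not show the final values. The Python check below is an added example, not part of the original post or of the emailwiz script; it assumes a constructed zone with a documentation-range IP, a placeholder DKIM key, and a DKIM selector named <code>mail</code>.</p>

```python
"""Sanity-check the DNS records this mail setup depends on. Added example; ZONE is
a constructed zone (documentation-range IP, placeholder DKIM key), not a real lookup."""
import re

def parse_tags(txt):  # 'v=DKIM1; k=rsa; p=...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': '...'}
    pairs = (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)
    return {k.strip(): v.strip() for k, v in pairs}

def records(zone, name, rtype):
    return [v for t, v in zone.get(name, []) if t == rtype]

def check_mail_dns(zone, domain, selector="mail"):
    """List of findings (empty = all good). Selector 'mail' is assumed; use the one your DKIM setup printed."""
    apex, out = domain.rstrip(".") + ".", []
    mx = records(zone, apex, "MX")
    if not mx:
        out.append(f"no MX record at {apex}")
    for rec in mx:
        target = rec.split()[1]
        if not target.endswith("."):            # the trailing-dot pitfall from the MX step
            out.append(f"MX target {target!r} lacks the trailing dot")
        elif records(zone, target, "CNAME"):    # usually works, but RFC 2181 s10.3 forbids an alias here
            out.append(f"warning: MX target {target} is a CNAME, not an A record")
        elif not records(zone, target, "A"):
            out.append(f"MX target {target} does not resolve (no A record)")
    spf = [t for t in records(zone, apex, "TXT") if t.startswith("v=spf1 ")]
    if len(spf) != 1:
        out.append(f"expected exactly one SPF record at {apex}, found {len(spf)}")
    elif not re.search(r"\s[-~]all$", spf[0]):
        out.append("SPF record does not end in -all or ~all")
    dkim = records(zone, f"{selector}._domainkey.{apex}", "TXT")
    tags = parse_tags(dkim[0]) if dkim else {}
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        out.append(f"DKIM record for selector {selector!r} missing or has an empty p= key")
    dmarc = records(zone, f"_dmarc.{apex}", "TXT")
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        out.append("DMARC record missing or without a valid p= policy")
    return out

ZONE = {  # constructed, using the page's second layout: the mail host has its own A record
    "void.yt.": [("A", "203.0.113.5"), ("MX", "10 mail.void.yt."), ("TXT", "v=spf1 mx -all")],
    "mail.void.yt.": [("A", "203.0.113.10")],
    "mail._domainkey.void.yt.": [("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiPLACEHOLDER")],
    "_dmarc.void.yt.": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt")],
}

if __name__ == "__main__":
    print(check_mail_dns(ZONE, "void.yt") or "all mail DNS checks passed")
```

<p>Replace ZONE with the values you actually entered at the registrar. A CNAME at the MX target (the same-host layout above) is reported as a warning rather than an error, since it generally works even though the RFC asks for an A record.</p>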
<p>Once that's done, save your DNS settings, create the user ON THE SERVER, and install Thunderbird locally:</p>
<pre><code class="nim">
useradd -m -G mail -s /bin/bash someone
passwd someone
</code></pre>
<img src="18.png" class="imgRz">
<p>Then run Thunderbird with the user's credentials, making sure you use the manual config tab:</p>
<img src="20.png" class="imgRz">
<p>And welcome to DigitalOcean, where you can't run mail servers lol. I did some research on DO's forums, and I found out that basically
they are blocking port 25 (SMTP), which in general indicates that they do not allow any mail hosting on their VPS, so for once I am not going to recommend DO.
</p>
<img src="21.png" class="imgRz">
<p>TLDR: I am incredibly surprised at how difficult it is to set up your own email server. In France, most ISPs simply do not allow port 25, apart from OVH.
Online, both DigitalOcean and Vultr block port 25 to avoid mail spam, which makes me wonder where exactly you even host your mail server.
If anyone knows a particular hosting service that ALLOWS port 25 and other mail-specific ports (993, 587, etc.) please let me know.</p>
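<p>Before committing to a VPS for this, it is worth checking from inside it whether outbound port 25 is usable at all, and whether a failure is a provider-side block (silent timeout) or merely a closed port (immediate reset). The Python probe below is an added example, not from the original post; the only target it ships with is a constructed listener on localhost, not a real mail host.</p>

```python
"""Tell a provider-side port-25 block (what the post ran into) from an ordinary
closed port. Added example; the only target it ships with is a constructed
listener on 127.0.0.1, not a real mail host."""
import socket
import threading

def probe_smtp(host, port=25, timeout=3.0):
    """Return (verdict, banner). 'open': SMTP greeting received; 'refused': host sent a
    reset (path clear, nothing listens); 'filtered': silent timeout, the usual signature
    of a hoster dropping port 25; 'error': no route, DNS failure, and so on."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # connected, but the peer stays silent
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "filtered", ""
    except OSError as exc:
        return "error", str(exc)

def local_banner_server(banner="220 mail.test.invalid ESMTP"):
    """Constructed stand-in for a mail host: one-shot listener, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner.encode() + b"\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_local_port():
    """A port nothing listens on: connecting to it yields 'refused'."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    print(probe_smtp("127.0.0.1", local_banner_server()))   # ('open', '220 mail.test.invalid ESMTP')
    print(probe_smtp("127.0.0.1", closed_local_port()))     # ('refused', '')
```

<p>Run <code>probe_smtp</code> from the VPS against a relay you are allowed to talk to: a 'filtered' verdict while port 587 to the same host connects fine is the pattern of a hoster dropping port 25.</p>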
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="cisb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://matrix.to/#/#nowheremoe:nowhere.moe">Matrix Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>