Version 5 (modified by 7 years ago) ( diff ) | ,
---|
Schleuder3 setup
| Schleuder is an email hub for groups. It has also been described as a gpg-enabled mailinglist with remailer-capabilities. It is designed to serve as a tool for group communication: subscribers can communicate encrypted (and pseudonymously) among themselves, receive emails from non-subscribers and send emails to non-subscribers via the list.
Schleuder3 has been setup by dkg on herman.mayfirst.org for testing. dkg describes this setup as "a minimally-configured debian stretch machine, using the schleuder and schleuder-cli packages from unstable. I removed basically every package that I could, and configured it entirely with systemd where possible. This means no ifupdown, no cron, no rsyslog, no ntp, no acpid, no isc-dhcp-client, systemd-resolved as a local DNS caching stub resolver, etc."
The following is an attempt to document the steps necessary to recreate the same conditions and configuration currently active in herman. These are not the exact steps and order taken during the original install.
Debian install
Start from an initial install of Debian stretch (currently debian testing) with NONE of the tasksel tasks activated. Make sure to deselect both the standard and ssh-server tasks during install. Login through the console to complete the initial steps manually.
No recommends
Make sure all subsequent package installs with apt default to using the --no-install-recommends preference by adding a line to apt.conf
0 herman:~# echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf
Installing packages
Install the following packages. Some of these packages are essential to the application and others appear to be utilities that were used for debugging during the configuration process of schleuder. It may be possible to reduce this list.
0 herman:~# apt install openssh-server systemd-cron deborphan psmisc postfix tor cryptsetup libpam-systemd initscripts dbus dbus-user-session publicsuffix haveged screen less file lsof man-db manpages acl iputils-ping libcap2-bin bsd-mailx sqlite3 bash-completion
Removing packages
Remove the following unnecessary or undesired packages.
0 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base
The following step is subject to change in the future.
0 herman:~# apt purge linux-image-4.8.0-2-amd64
Autoremove and purge automatically installed packages that are no longer necessary.
0 herman:~# apt autoremove --purge
Purge any orphaned packages. Repeat this next step as many times as necessary until there are no longer any results.
0 herman:~# apt purge $(deborphan)
Install packages from unstable repository
The use of these packages from the unstable repository is subject to change in the future.
Add the unstable repository.
0 herman:~# echo "deb http://ftp.us.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list 0 herman:~# echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 200" >> /etc/apt/preferences.d/limit-unstable 0 herman:~# apt update
Install the unstable version of the following packages. dkg's patch https://bugs.debian.org/851732 to schleuder to avoid a dependency on cron has already been applied in newest unstable releases.
0 herman:~# apt install gnupg/unstable schleuder-cli/unstable schleuder/unstable
At this point the above setup should give us a package list very close to what is on herman now with the exception of the emacs-nox package and its dependencies.
Networking
Since ifupdown has been removed and systemd.network will be used instead. A new .network file should created as /etc/systemd/network/50-static.network
The contents of this file look something like this, although the original ip numbers have been removed here.
[Match] Name=ens3 [Network] Address=XXX.XXX.XXX.XXX/XX Address=XXXX:XXXX:XXXX:XXXX::XXXX/XXXX Gateway=XXX.XXX.XXX.XXX Gateway=XXXX:XXXX:XXXX:XXXX::XXXX DNS=XXX.XXX.XXX.XXX DNS=XXX.XXX.XXX.XXX Domains=mayfirst.org
Notice the interface is not named eth0. The version of Systemd in Debian Stretch now uses | Predictable Network Interface Names , which automatically assigns static names to network devices.
udev is responsible for | which device gets which name .
You can get a list of available network interfaces using commands ls /sys/class/net
or ip link
After creating the new .network file you need to restart systemd-networkd
systemctl restart systemd-networkd
At this point the server should be accessible over ssh.
No logging to disk
When both journald and rsyslog are installed, the default is that journald spits out all its messages to syslog and syslog writes them to disk. Without syslog, journald is responsible for writing whatever needs to be written. See configuration choices for /etc/systemd/journald.conf
with man journald.conf
By default Storage=auto
is set which basically means "if /var/log/journal is present, then write the logs to disk; if it's not, then write them to /run"
note that /run is a tmpfs, meaning it's ephemeral, and disappears when the machine loses power so since we've avoided placing a permanent journal everything is being logged in /run
Some services implement their own mechanisms for writing logs, we need to deal with these individually. The following command will show any processes still holding open files in /var/log
find /var/log/ -mount -type f -print0 | xargs -0 lsof
The only listing that should still appear at this point is the debian-tor user writing to /var/log/tor/log . This can be stopped by uncomment the following line in /etc/tor/torrc
Log notice syslog
Why syslog? syslog is just an interface -- something listening on a socket at /dev/log where journald also listens
After making the above change to /etc/tor/torrc
restart tor.
systemctl restart tor
The tor daemon should log to syslog by default in | future versions so the above fix is temporary.
tmpfs for /tmp
Setup the /tmp directory with temporary file storage facility so that all writes to /tmp are written to volatile memory and not to disk. This has the following benefits:
- Having globally-writable directories in filesystems opens up a few different classes of vulnerabilities and bugs based on hardlinks and undeleted data. Separating the /tmp filesystem from the root filesystem avoids those classes.
- /tmp is expected to be cleared automatically at boot. Using memory as the backing store does that automatically.
- using memory reduces the amount of disk I/O
Add the following line to the end of /etc/fstab
tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
Postfix
Add these 2 lines to the end of /etc/postfix/master.cf
schleuder unix - n n - - pipe flags=DRhu user=schleuder argv=/usr/bin/schleuder work ${recipient}
This says "if the transport is for schleuder, then pipe the message to a process owned by user "schleuder" that runs "/usr/bin/schleuder work ${recipient}"
In /etc/postfix/main.cf
edit the myhostname and mydestination variables appropriately.
myhostname = herman.mayfirst.org mydestination = $myhostname, herman.mayfirst.org
Then at the bottom of /etc/postfix/main.cf
add the following lines
virtual_transport = schleuder virtual_mailbox_domains = x.mayfirst.org virtual_alias_maps = hash:/etc/postfix/virtual_aliases virtual_mailbox_maps = sqlite:/etc/postfix/schleuder_sqlite.cf schleuder_destination_recipient_limit = 1 compatibility_level = 2
The above portion of the config is devoted to figuring out when to trigger this transport. First: dedicate postfix's "virtual transport" to schleuder itself and tell postfix that anything coming to x.mayfirst.org should be handled by the virtual transport
The contents of the file /etc/postfix/virtual_aliases
is a list of first-pass "catch-all" addresses, forwarding the usual things to their @mayfirst.org counterparts.
postmaster@x.mayfirst.org postmaster@mayfirst.org abuse@x.mayfirst.org abuse@mayfirst.org MAILER-DAEMON@x.mayfirst.org MAILER-DAEMON@mayfirst.org root@x.mayfirst.org root@mayfirst.org
virtual_mailbox_maps is what postfix uses to look up whether an address is valid. If it's not in that list, it declines the message at attempted SMTP delivery time. This directive tells postfix "look up the incoming address to see whether schleuder is willing to handle it; if it is not, then don't even bother feeding it to schleuder". The contents of /etc/postfix/schleuder_sqlite.cf
look like this:
dbpath = /var/lib/schleuder/db.sqlite query = select 'present' where '%s' in ( select email from lists union select replace(email, '@', '-bounces@') from lists union select replace(email, '@', '-owner@') from lists union select replace(email, '@', '-request@') from lists union select replace(email, '@', '-sendkey@') from lists)
The above schleuder/postfix sqlite integration is now | shipping upstream:
In the master.cf this line schleuder_destination_recipient_limit = 1
means, "if a message comes in headed for the schleuder transport and it is headed for multiple recipients, feed it to each of them separately, one at a time." compatibility_level = 2
just disables backwards compatibility.
Schleuder configuration
Lots of useful information in Schleuder3's official documentation.
The following commands and file edits should be performed under the dedicated schleuder user created by the installer.
0 root@herman:~# su - schleuder -s /bin/bash
Schleuder reads its basic settings from a file that it by default expects at /etc/schleuder/schleuder.yml
The only initial change from the default settings that has been made there on herman is to comment out the default keyserver.
#keyserver: pool.sks-keyservers.net
The Schleuder API is provided by schleuder-api-daemon. Configuration clients (schleuder-web, schleuder-cli) use it to access information about lists, subscriptions, and keys. schleuder-api-daemon uses transport encyrption (TLS) for all connections. The required TLS-certifcates should have been generated during the setup (schleuder install) but can be regenerated if necessary by running the following command as schleuder user: schleuder cert generate
In order to verify the connection, each client needs to know the fingerprint of the API-certificate. Execute the following command to receive the fingerprint of the current cert.
schleuder@herman:~$ schleuder cert fingerprint
The Schleuder API uses API-keys to authenticate clients. To enable a client to connect, their API-key must be added to the section valid_api_keys in Schleuder’s configuration file. You can generate new API-keys by executing the following command:
schleuder@herman:~$ schleuder new_api_key
All current schleuder api keys should remain private. Always use secure channels to transport this information.
Add the new api key to file /etc/schleuder/schleuder.yml
below the directive valid_api_keys:
valid_api_keys: - abcdef... - zyxwvu...
Restart the schleuder api daemon as root to apply changes.
0 root@herman:~# systemctl restart schleuder-api-daemon
Dedicated user for schleuder-cli
Create a separate "schleuder-manager" user that is able to talk to the API but doesn't have r/w access to the sqlitedb
adduser schleuder-manager --gecos 'Schleuder Manager,,,' --disabled-password
Become the new user, create a new configuration file and ensure that only the schleuder-manager user has read and write access to this file.
0 root@herman:~# su - schleuder-manager -s /bin/bash schleuder-manager@herman:~$ touch /home/schleuder-manager/.schleuder-cli/schleuder-cli.yml schleuder-manager@herman:~$ chmod 600 /home/schleuder-manager/.schleuder-cli/schleuder-cli.yml
Edit this file with details for the connection of the schleuder-cli client to the schleuder-api-daemon including the tls fingerprint and api key retrieved above.
host: localhost port: 4443 tls_fingerprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The api_key has been removed in this example and should not be public. Always use secure and authenticated channels to transport this information to ensure both the confidentiality of the api_key and the integrity of the tls_fingerprint
Check that the schleuder-cli client is able to establish a connection to the api.
schleuder-manager@herman:~$ schleuder-cli version -r 3.0.1
Create an .ssh/authorized_keys
file to allow authorized members of the support team to connect remotely and use the schleuder-cli.
List creation and management
Review the output of schleuder-cli help
.