The next step is to install the public-facing applications for email and web sites and the certificates they require. Certbot will be used to obtain letsencrypt certs, but Apache httpd is installed first to enable the challenges to be satisfied. And before that, we need to install python for the cgi-bin scripts (and certbot).
Installed python3.9 using apt. In order to make this the default for
python, I ran update-alternatives:
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.9 10
Copied fuligin.conf from fuligin to
/etc/apache2/sites-available/010-ash.conf and removed
stanzas for fuligin virtual host. Also renamed opal/fuligin to ash
for server aliases. This configuration file includes the necessary
setup to handle the letsencrypt challenge.
Enabled the sites with a2ensite 010-ash
Enabled the following modules with a2enmod:
a2enmod ssl a2enmod cgi a2enmod dav_fs a2enmod dav_lock
This creates links from mods-enabled to mods-available.
Also added sites-available configuration for pix: 020-pix.conf,
and enabled it.
To build websites, must apt install tidy and also
ensure python is installed (see above).
To enable emacs org files to be updated by both Orgzly (on an Android
phone) and local emacs, I needed set the webdav directory as owned
by www-data, with my user group, setting group permissions to
rwx. Also added the following line to
/etc/apache2/envvars to ensure apache2 doesn't remove
group write access:
umask 002
Certs are needed by three applications: httpd, dovecot and exim, supporting two websites: hydrus.org.uk and reunuiongang.org.uk.
Certbot was installed via apt. To obtain the certs (when ash is internet facing web server):
certbot certonly --apache -d hydrus.org.uk,ash.hydrus.org.uk,\
chrome.hydrus.org.uk,crimson.hydrus.org.uk,mail.hydrus.org.uk,\
www.hydrus.org.uk
certbot certonly --apache -d reuniongang.org.uk,www.reuniongang.org.uk
Installing certbot also installs a cron job to update certs. Seems to run twice a day, which appears overkill.
Exim4 runs as user Debian-exim, so cannot read the certs as
downloaded by certbot. We therefore need a script to make the certs
readable by exim. This is placed in
/etc/letsencrypt/renewal-hooks/post. The contents of
post-cert.sh script are as follows:
#!/bin/sh
# Enable cert access for exim4
# Run as post-hook for certbot
CERTDIR=/etc/letsencrypt/live/hydrus.org.uk
EXIMDIR=/etc/exim4/certs
for file in privkey.pem fullchain.pem; do
cp ${CERTDIR}/${file} ${EXIMDIR}
chown Debian-exim ${EXIMDIR}/${file}
chmod 400 ${EXIMDIR}/${file}
done
systemctl restart exim4
Exim4 was already installed as part of the Debian flavour I'd
installed (XFCE4). I ran dpkg-reconfigure exim4 to end
up with these contents in update-exim4.conf.conf:
dc_eximconfig_configtype='smarthost' dc_other_hostnames='ash.hydrus.org.uk;hydrus.org.uk;reuniongang.org.uk' dc_local_interfaces='' dc_readhost='' dc_relay_domains='' dc_minimaldns='false' dc_relay_nets='' dc_smarthost='smarthost.co.uk::587' CFILEMODE='644' dc_use_split_config='false' dc_hide_mailname='false' dc_mailname_in_oh='true' dc_localdelivery='mail_spool'
Followed this guide (mostly). I'm using STARTTLS and port 578 for my smarthost.
Defined local macros in /etc/exim4/exim4.conf.localmacros:
# Local macros for ash # TLS MAIN_TLS_ENABLE = yes REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = * # letsencrypt hydrus.org.uk certs, copied here after certbot renews them MAIN_TLS_PRIVATEKEY = /etc/exim4/certs/privkey.pem MAIN_TLS_CERTIFICATE = /etc/exim4/certs/fullchain.pem # Email appears to come from user@hydrus.org.uk REMOTE_SMTP_HEADERS_REWRITE = *@*.hydrus.org.uk $1@hydrus.org.uk f
This required adding a new router and transport to the exim
configuration file. The least intrusive way of doing this, for the
unsplit configuration I'm using, involves creating the appropriate
new configurations in /etc/exim4/conf.d.
The router is defined in the router sub-directory
(050_exim4-config_local_network):
# Invoke local_smpt transport for recipient addresses on domain machines
# (except those defined as local to ash) - anything ending in
# the domain name, or unadorned host names (assuming they
# contain no digits). If the recipient does not match anything
# in the domains value the smarthost router is used.
local_network:
driver = dnslookup
transport = local_smtp
domains = ! +local_domains:*.hydrus.org.uk:^[A-Za-z]*\$
The new transport is defined in the transport sub-directory
(20_exim4-config_local_smtp):
# Define a transport for local machines. This invokes
# the smtp transport with no extras.
local_smtp:
driver = smtp
Once the new configuration files have been created, the main exim4
configuration file, exim4.conf.template is re-created
by running update-exim4.conf.template -r.
Keeping the additional configuration in separate files should make an upgrade easier.
Setup user by running
/usr/share/doc/exim4-base/examples/exim-adduser. This
creates /etc/exim4/passwd. It contains the plaintext password, so
edit file to remove it (plus leading :). Then:
# chgrp Debian-exim passwd # chmod 640 passwd
Then, copy this stanza in
/etc/exim4/conf.d/auth/30_exim4-config_examples to
/etc/exim4/conf.d/auth/20_exim4-config_plain_server,
removing comment characters. This will create a plain authenticator,
protected by STARTTLS.
plain_server:
driver=plaintext
public_name =PLAIN
server_condition ="${ifcrypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lse$ server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
Run update-exim4.conf.template -r to regenerate the
exim4.conf.template file, Edit /etc/default/exim4
to add port 587 to listener options:
SMTPLISTENEROPTIONS='-oX 25:587 -oP /run/exim4/exim.pid'
Don't forget to ensure /etc/aliases is updated as
required by the local setup.
Now we can restart exim4 with:
sudo systemctl restart exim4
I run spambayes as the spam detection agent, updated (mostly) to
Python 3. The biggest issue is the Berkeley database spambayes
requires. I have a copy of the source code for
db-6.2.38.NC, so rebuilt it on ash with:
cd ~/dev/db-6.2.38.NC/build_unix make clean #(if necessary) make sudo make install
The python bindings is installed with sudo apt install
python3-bsddb3. All seems to work.
I have a USB sound card, which connects ash to a Ruark MR1 system. I
installed mpd, which is controlled from an Android
phone using MALP. For this USB sound card to be fully used by
mpd, I had to add the following to
/etc/mpd.conf:
audio_output {
type "alsa"
name "USB Audio"
device "hw:1,0"
mixer_device "hw:1"
mixer_type "hardware"
mixer_control "Speaker"
}
Cribbed from here.
